Support multiple API keys

[chucker]

Is your feature request related to a problem? Please describe.

Currently, the recommended approach to authentication is an API key. However, this only enables you to set one API key for your entire staff. This requires key rotation as soon as one staffer leaks the key and/or leaves the team.

Describe the solution you'd like

Therefore, what I would like is simply the — optional — ability to define multiple API keys, e.g.:

  "ApiKeys": [
    {
      "User": "Frank",
      "Key": "asd"
    },
    {
      "User": "Sarah",
      "Key": "qwe"
    },
    {
      "User": "Kim",
      "Key": "zxc"
    },
  ]

On a technical level,

• ApiKeys has precedence over ApiKey, if present.
• The code only really cares about the Key property. The User property is human metadata.

Describe alternatives you've considered

What we do now instead is use IIS to setup HTTP basic auth, but unfortunately, NuGet (whether through dotnet, VS, or Rider) handles HTTP auth very poorly. The recommended path for them, too, appears to be API keys.

[Regenhardt]

This is now possible using BaGetter 1.5.0 with bagetter#156 merged. It does only support this simple use case for now, but may be extended with scopes or permissions in the future. The creator has had it running for some time now, but more people testing this big of a feature are always welcome.

[chenzuo]

this is a very useful private feature for a small team. regarding the issue of key leakage, I think you can add some features to protect it, such as the key protection method implemented eg.Nuget. i think this feature can meet the needs of many teams.